From: Ben Pfaff Date: Sun, 26 Sep 2021 18:06:45 +0000 (-0700) Subject: lexer: Fix use-after-free error in lex_source_get_lookahead(). X-Git-Url: https://pintos-os.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=a91180ce13a1d95abed44b0c3cc12c94981bb5d6;p=pspp lexer: Fix use-after-free error in lex_source_get_lookahead(). This code used local variable 'out' as if its value stayed the same from one iteration of the loop to the next, but in fact its scope meant that it became indeterminate on each new iteration. This commit fixes the problem by moving its declaration to an outer scope. Thanks to John Darrington for reporting the problem.
---
diff --git a/src/language/lexer/lexer.c b/src/language/lexer/lexer.c
index 6d9aec843a..2e6232afdc 100644
--- a/src/language/lexer/lexer.c
+++ b/src/language/lexer/lexer.c
@@ -1952,6 +1952,7 @@ static bool
 lex_source_get_lookahead (struct lex_source *src)
 {
 struct merger m = MERGER_INIT;
+ struct token out;
 for (size_t i = 0; ; i++)
 {
 while (lex_stage_count (&src->merge) <= i && !lex_source_get_merge (src))
@@ -1963,7 +1964,6 @@ lex_source_get_lookahead (struct lex_source *src)
 return false;
 }
- struct token out;
 int retval = merger_add (&m, &lex_stage_nth (&src->merge, i)->token, &out);
 if (!retval)
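Review bot: The hoisted `struct token out;` in the first hunk carries no comment saying why it sits outside the `for` loop, and that placement is the entire fix, so a later tidy-up that narrows the scope again would silently bring back the indeterminate read described in the commit message. I would add `/* Declared outside the loop: its value must survive from one iteration to the next. */` directly above the declaration. `out` also still starts uninitialized, so if `struct token` has a cheap empty state, an initializer would make any read before merger_add() first fills it deterministic; whether such a read can happen is not visible here, since merger_add() and the rest of the loop body lie outside both hunks. Running the lexer tests under a memory checker would confirm that no other path depends on the old per-iteration scope.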